Claude Connect

Security checks across malware telemetry and agentic risk

Overview

This skill is a high-impact credential refresher that mostly matches its stated purpose, but it copies live OAuth tokens, installs a persistent background job, and auto-detects notification recipients from local Clawdbot data with insufficient scoping.

Install only if you specifically need this legacy refresher; the README says current Clawdbot handles Claude OAuth natively. Before running install.sh, review the launchd job, decide whether notifications should be disabled or manually configured, and understand that Claude OAuth refresh tokens will be copied from Keychain into a local Clawdbot auth file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly documents shell execution and file writes, including modifying auth files and installing a launchd job, but the metadata declares no permissions. That undermines informed consent and prevents users or policy engines from accurately evaluating the skill's capabilities before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill as a simple connection helper, but the documented behavior includes credential extraction from Keychain, token replication into another app, persistence via launchd, gateway restarts, and optional notifications. This mismatch can mislead users into authorizing a much more privileged workflow than they reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation describes behavior centered on auto-detecting notification channels from ~/.clawdbot/clawdbot.json and generating a local config.json, which materially differs from the stated skill purpose of linking a Claude subscription and auto-refreshing tokens. This kind of scope mismatch is dangerous because it can mislead users into granting trust to a skill that accesses unrelated local data and performs side effects they would not reasonably expect from the manifest description.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file advertises and documents a different skill name and operational purpose ('claude-oauth-refresher') than the manifest-provided skill ('claude-connect'). This kind of identity and purpose mismatch is dangerous because it can conceal the true behavior of the installed skill, mislead users and reviewers, and reduce the chance that sensitive OAuth/token-handling functionality receives appropriate scrutiny.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented behavior emphasizes ongoing OAuth token refresh, installer automation, and persistent background operation, which is materially broader and more sensitive than a simple 'connect Claude to Clawdbot' description. In a skill context, this mismatch increases risk because users may authorize installation expecting a benign connector while actually deploying a long-lived credential-management component.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The summary states the skill reads Clawdbot configuration to detect enabled messaging channels and extract chat IDs, user IDs, or phone numbers, which exceeds the narrowly described purpose of linking Claude and refreshing tokens. Accessing another application's configuration to harvest personal/contact identifiers creates unnecessary data exposure and expands the trust boundary without clear need or explicit consent language.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Inspecting multi-channel messaging settings and extracting user/contact identifiers is not clearly justified by the stated function of keeping Claude connected and refreshing OAuth tokens. This unnecessary capability increases privacy risk because it can reveal personal identifiers across Telegram, Slack, Discord, WhatsApp, iMessage, or Signal even when only one notification method may be needed.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill description frames the script as merely linking a subscription and refreshing tokens, but this block also rewrites Clawdbot's auth-profiles.json and changes profile ordering/lastGood state. That broader credential and runtime reconfiguration increases trust requirements and can unexpectedly alter how Clawdbot authenticates, which is security-relevant because it silently persists tokens into another credential store.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
This section can send chat notifications through Clawdbot, which is not disclosed by the stated purpose of linking and refreshing tokens. Hidden messaging capability is dangerous because it creates an undocumented outbound communication path that could be repurposed for signaling, spam, or operational leakage.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script can send arbitrary messages to a configured Clawdbot target via clawdbot message send, a capability unrelated to the core token-refresh task. Even though the current messages are fixed by the script, the configurable target creates an unnecessary communications primitive that broadens the attack surface and could leak operational state to external recipients.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Restarting the Clawdbot gateway is broader system control than a token refresh strictly requires and is not clearly disclosed by the skill description. This can disrupt running workflows, trigger availability issues, and give the script operational control over another service beyond credential maintenance.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script performs extensive host inspection, including OS checks, installed software, local config discovery, gateway status checks, filesystem probing, and credential-store inspection. While some checks are plausible for setup validation, the breadth exceeds a minimal verifier and increases privacy and attack-surface concerns for a skill whose stated purpose is simply linking Claude to Clawdbot and refreshing tokens.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script enumerates all matching Keychain entries via `security dump-keychain` and then reads each candidate secret with `security find-generic-password -w`, which retrieves the stored password payload. Even though it only tests for JSON fields, this still accesses live credential material and broadens exposure beyond a simple existence check, especially for a script advertised as a setup verifier.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The flow explicitly instructs the installer to read a local user configuration file and create or overwrite config.json, but the documentation does not present a clear warning, consent step, or data-handling notice before those actions occur. In a skill context, silent access to local messaging identifiers and automatic file generation increases privacy and integrity risk because users may not understand that personal chat IDs, phone numbers, or account identifiers are being harvested and persisted.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly describes reading messaging identifiers from a user config file and selecting a notification target, but it provides no warning that chat IDs, user IDs, phone numbers, and email-like targets are sensitive personal data. In the context of a skill whose purpose is to keep a third-party service connected '24/7' and auto-refresh tokens, normalizing silent extraction of those identifiers increases the risk of covert collection, misuse, or redirection of notifications to an attacker-controlled destination.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The fallback behavior instructs the system to query message history to infer the target ID, which goes beyond reading static configuration and touches historical communications metadata. In this skill's context, that is more dangerous because it enables silent harvesting of recipient/chat identifiers from prior messages, potentially exposing private contacts and enabling persistent outbound notification routing without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quickstart directs users to run install and uninstall scripts as a single-step setup flow without clearly warning that they will create and load a launchd agent, modify local configuration, and establish a recurring background process. In a security-sensitive skill that manages authentication tokens, minimizing disclosure about persistent system changes increases the risk of users granting broad trust to opaque automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide promotes auto-detection of notification settings and setup verification without warning that these steps may inspect local configuration, use Keychain-backed credentials, or identify notification endpoints such as Telegram targets. In the context of a token-refreshing integration, silent discovery and use of account or messaging metadata can expose sensitive information or normalize unnecessary credential access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes handling OAuth access and refresh tokens, copying them from secure storage, and sending them through refresh flows without giving a clear warning that these are sensitive credentials. Users may run the skill without understanding that compromise of the destination files, logs, or notification path could expose their session.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documented behavior describes automatic reading of another app's config and extraction of personal identifiers without an explicit warning or informed-consent step. Even if intended for convenience, silently reading chat IDs, user IDs, or phone numbers is a privacy issue because users may not expect these values to be parsed and reused.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads notification routing data from local Clawdbot session files and prints the detected channel and recipient target to stdout without any consent prompt, masking, or disclosure. Those values can include personally identifying contact details such as phone numbers, usernames, chat IDs, or account identifiers, which creates a privacy leak if the script is run by another tool, logged, or exposed to an untrusted caller.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This block writes both access and refresh tokens into auth-profiles.json without explicit warning or confirmation, expanding credential exposure from Keychain into a plaintext-accessible file under the user's home directory. Persisting long-lived refresh credentials in another location materially increases the risk of token theft by local malware, other processes, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script deletes and recreates the Keychain credential entry with updated OAuth material without explicit user warning that stored credentials will be modified. Silent mutation of a privileged credential store is security-sensitive because it can change account state, break existing access patterns, or overwrite trusted data unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads Keychain secret contents without an explicit, informed warning that credential payloads will be accessed during verification. Users may reasonably expect a status check to verify presence only, not retrieval and parsing of stored OAuth material, making this an unsafe transparency and consent failure around credential handling.

Ssd 3

High
Confidence
93% confidence
Finding
The skill's core workflow is to extract OAuth credentials from Keychain and copy them into another tool's auth file, with optional external notifications. Any workflow that normalizes moving live tokens out of secure storage expands the attack surface and increases the chance of credential disclosure, misuse, or replay.

VirusTotal

66/66 vendors flagged this skill as clean.